Apple recently released iOS 14.5 and iPadOS 14.5, which include a security update that addresses almost 50 vulnerabilities, including several critical RCE and privilege escalation vulnerabilities. Qualys recommends that security teams immediately update all devices running iOS and iPadOS to the latest version.

The vulnerabilities affect iOS and iPadOS components including Accessibility, CFNetwork, CoreFoundation, FaceTime, ImageIO, Kernel, Preferences, Safari, WebKit, and others. As part of the releases, Apple has also made major enhancements related to zero-click (or 0-click) exploit protection that make it more difficult for attackers to take control of an iPhone. Zero-click exploits allow an attacker to take over an iPhone with no interaction from the target, as evidenced by the zero-click attack reported in December 2020. Apple device users will benefit from the additional protection provided by these enhancements.

A Qualys detection (QID) is now available to identify devices missing this latest version.

WebRTC Remote Code Execution (RCE) Vulnerability

Apple released a patch to fix a critical RCE vulnerability (CVE-2020-7463). This vulnerability has a CVSSv3 base score of 8.8 and should be prioritized for patching, as a remote attacker may be able to cause unexpected system termination or corrupt kernel memory. It affects iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Foundation Local Privilege Escalation Vulnerability

Apple released a patch to fix a critical local privilege escalation vulnerability (CVE-2021-1813). This vulnerability has a CVSSv3 base score of 7.8 and should be prioritized for patching, as a malicious application may be able to gain root privileges. It affects iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Kernel Component Remote Code Execution (RCE) Vulnerability

Apple released a patch to fix a critical RCE vulnerability (CVE-2021-1851). This vulnerability has a CVSSv3 base score of 7.8 and should be prioritized for patching, as an application may be able to execute arbitrary code with kernel privileges. It affects iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Libxpc Race Condition Vulnerability

Apple released a patch to fix a critical race condition vulnerability (CVE-2021-30652). This vulnerability has a CVSSv3 base score of 7.8 and should be prioritized for patching, as a malicious application may be able to gain root privileges. It affects iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple Neural Engine Remote Code Execution (RCE) with Kernel Privileges Vulnerability

Apple released a patch to fix a critical RCE vulnerability (CVE-2021-1867). This vulnerability has a CVSSv3 base score of 7.8 and should be prioritized for patching, as an application may be able to execute arbitrary code with kernel privileges. It affects iPhone 8 and later, iPad Pro (3rd generation) and later, and iPad Air (3rd generation) and later.

Discover Vulnerabilities and Take Remote Response Action Using VMDR for Mobile Devices

Discover Assets Missing the Latest OS Version

The first step in managing these critical vulnerabilities and reducing risk is to identify vulnerable assets. Qualys VMDR for Mobile Devices makes it easy to identify the iOS and iPadOS assets not updated to the latest version, iOS 14.5 and iPadOS 14.5. To get comprehensive visibility of your mobile devices, you need to install Qualys Cloud Agent for Android or iOS/iPadOS on all devices. The device onboarding process is easy, and the inventory of mobile devices is free.

Query: vulnerabilities.vulnerability.title:iOS 14.5

Once you get the list of assets missing the latest security patch, navigate to the Vulnerability tab and apply the Group By “Vulnerabilities” to get the list of the CVEs that Apple fixed in the iOS and iPadOS 14.5 release. Qualys VMDR helps you understand the level of risk when an unpatched device holds corporate data and connects to your corporate network.

QID 610334 is available in signature version SEM VULNSIGS-1.0.0.32, and there is no dependency on any specific Qualys Cloud Agent version.
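As an added example (not Qualys or Apple code), the following Python script performs the same triage offline that the query and Group By above perform in VMDR: it flags devices in a constructed inventory that report a version below 14.5 and maps each one to the CVEs from this post whose affected-device ranges cover its model. The inventory format, the ordered iPhone model list and the UNKNOWN-VERSION marker are assumptions for this example; extend the tables for the iPad and iPod touch families listed above.

```python
# Offline triage of a constructed device inventory against the iOS/iPadOS 14.5 advisory.
# Added example, not Qualys or Apple code; inventory format and model ordering are assumptions.
FIXED_VERSION = (14, 5)  # the release that ships the fixes described in this post

# Ordered model list (assumption for this example; add iPad/iPod touch families as needed).
MODEL_ORDER = {"iPhone": ["iPhone 6s", "iPhone 7", "iPhone 8", "iPhone X", "iPhone 11", "iPhone 12"]}
# Earliest affected model per family, taken from the affected-device lists in this post.
CVE_SCOPE = {
    "CVE-2020-7463":  {"iPhone": "iPhone 6s"},
    "CVE-2021-1813":  {"iPhone": "iPhone 6s"},
    "CVE-2021-1851":  {"iPhone": "iPhone 6s"},
    "CVE-2021-30652": {"iPhone": "iPhone 6s"},
    "CVE-2021-1867":  {"iPhone": "iPhone 8"},  # Neural Engine bug: iPhone 8 and later only
}

def parse_version(text):
    """'14.4.2' -> (14, 4, 2); None when the agent reported something unparsable."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None

def applicable_cves(family, model):
    """CVEs from this post whose affected-device range includes the given model."""
    order = MODEL_ORDER.get(family, [])
    if model not in order:
        return []
    return [cve for cve, scope in CVE_SCOPE.items()
            if family in scope and order.index(model) >= order.index(scope[family])]

def triage(inventory):
    """device id -> open CVEs; patched devices are omitted, bad versions get ['UNKNOWN-VERSION']."""
    findings = {}
    for dev in inventory:
        ver = parse_version(dev["os_version"])
        if ver is None:
            findings[dev["id"]] = ["UNKNOWN-VERSION"]  # needs manual follow-up, not silent skip
        elif ver < FIXED_VERSION:  # tuple comparison handles 14.4.2 < 14.5 correctly
            cves = applicable_cves(dev["family"], dev["model"])
            if cves:
                findings[dev["id"]] = cves
    return findings

# Constructed sample inventory (not real device data).
SAMPLE = [
    {"id": "dev-1", "family": "iPhone", "model": "iPhone 7", "os_version": "14.4.2"},
    {"id": "dev-2", "family": "iPhone", "model": "iPhone 11", "os_version": "14.4"},
    {"id": "dev-3", "family": "iPhone", "model": "iPhone 8", "os_version": "14.5"},
    {"id": "dev-4", "family": "iPhone", "model": "iPhone 12", "os_version": "n/a"},
]
```

Running `triage(SAMPLE)` reports four CVEs for dev-1, all five for dev-2, nothing for the patched dev-3, and an UNKNOWN-VERSION marker for dev-4.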

Dashboard

With the VMDR for Mobile Devices dashboard, you can track the status of the assets on which the latest security update is missing. The dashboard will be updated with the latest data collected by Qualys Cloud Agent for iOS/iPadOS devices.

Remote Response Action

You can perform the “Send Message” action to ask end users to update their devices to the latest OS version. You may also provide step-by-step instructions for applying the security update.

We recommend updating to the latest iOS and iPadOS version for the assets where vulnerabilities are detected as “Confirmed”.

Get Started Now

Qualys VMDR for Mobile Devices is available free for 30 days to help you detect vulnerabilities, monitor critical device settings, and correlate updates with the correct app versions. Sign up now for a free 30-day trial of VMDR for Mobile Devices.
